Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the Workflow, Form block, and File/Set components that lack the allowed_classes restriction.
CVE-2026-7888

8.4HIGH

Key Information:

Vendor: Concrete Cms
Status: Concrete Cms
Vendor: CVE Published:; 3 June 2026

🔔 Create Concrete Cms Vulnerability Alert

What is CVE-2026-7888?

Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the Workflow, Form block, and File/Set components that lack the allowed_classes restriction. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been placed in the database. Thanks XananasX7 and Sanjorn Keeratirungsan (dizconnect) for both independently reporting. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 8.4 with vector CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N.

Affected Version(s)

Concrete CMS 5.0 < 9.5.2

References

https://documentation.concretecms.org/9-x/developers/intr...

release-notes

CVSS V4

Score:

8.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 3, 2026
Vulnerability Reserved
May 5, 2026

Credit

XananasX7

Sanjorn Keeratirungsan (dizconnect)

CVE-2026-7888 Data

JSON